DETAILED ACTION
Response to Arguments 

1. Applicant's arguments with respect to claims 1, 3-16, 18-25, and 27-30 have been
considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1, 3-16, 18-25, 27-30 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Thomas et al. US 20040039827 in view of Karjala et al. US 20040268148. 

Regarding claim 1, Thomas discloses an Application Gateway Module suitable
for use in a telecommunication system wherein a service network authenticates a user and 
authorizes the user for accessing a service offered by a service provider (paragraph 
[0064]-[0067], authentication and authorization and where an intermediary server is 
configured to ensure that access to the intranet 160 via the intermediary server), the 
Application Gateway Module arranged for intercepting application messages between the 
user and the service and for identifying said user and said service (paragraph [0259] 
where an LSP service intercepts messages/calls). Thomas discloses means for 
obtaining authorization decision on whether the user is allowed to access the service (Fig. 
3, Authorization and authentications). Thomas discloses the Application Gateway
Module comprising: means for assigning a service session identifier intended to identify 
those application messages exchanged between the user and the service and that belong 
to a same service delivery authorized for said user (paragraph [0075], service session 
identifier assigned to identify messages exchanged). Thomas discloses means for 
configuring a first finite-state machine with a number of statuses intended to identify
specific events in service delivery, the first finite state machine configured to control 
service progression (paragraph [0286] - state machine controlling service 
progression). Thomas discloses means for initiating a specific instance of the first
finite-state machine, said specific instance being identified by the assigned service session
identifier (paragraph [0069] and [0286]) and means for processing service policies 
applicable to said specific events and resulting in a state transition in the specific instance 
identified by the assigned service session identifier (paragraph [0068] and [0069] 
where services are processed using a processing module and stored and used for 
session, state or identification purposes). However, Thomas is silent on activating 
service policies applicable to said specific events.

Karjala teaches activating service policies applicable to said specific events 
(paragraph [0047] where user initiates an automated certificate enrollment process 
by activating a policy that requires certificate enrollment). 

At the time of invention, it would have been obvious to a person of ordinary skill 
in the art to modify the invention of Thomas and add activating service policies 
applicable to said specific events. The motivation would be to provide secure access to a
communication network (paragraph [0003]). 



Regarding claim 15, Thomas discloses a telecommunication system wherein a
service network authenticates a user and authorizes the user for accessing a service
offered by a service provider (paragraph [0059] and Fig. 1A authentication and
authorization by system network), the Authorization Module arranged for deciding 
whether a user is allowed to access a service (paragraph [0059] where access to the 
network is permitted after successful authentication). Thomas discloses means for 
receiving a service authorization request from an Application Gateway Module 
(paragraph [0058] - service authorization request) and means for returning to the 
Application Gateway Module a response on whether the user is granted access to the 
requested service (paragraph [0059] where access is authenticated and permitted 
therefore a response returned on whether the user is granted access to the requested 
service). Thomas discloses the Authorization Module comprising: means for generating 
a service session identifier intended to correlate those application messages exchanged 
between the user and the service and that belong to a same service delivery authorized for
said user (paragraph [0072] - where service session identifier is generated and 
stored). Thomas discloses means for configuring a second finite-state machine with a 
number of status intended to identify specific events in service progression, the second 
finite-state machine usable by the Authorization Module to act over the Application 
Gateway Module to control the service progression (paragraph [0286] - state machine 
controlling service progression) and means for initiating a specific instance of the
second finite-state machine, said specific instance being identified by said service session 
identifier (paragraph [0069]) and means for processing service policies applicable to 
said specific events and resulting in a state transition in the specific instance identified by 
the assigned service session identifier (paragraph [0068] and [0069] where services are 
processed using a processing module and stored and used for session, state or 
identification purposes). However, Thomas is silent on activating service policies 
applicable to said specific events. 

Karjala teaches activating service policies applicable to said specific events 
(paragraph [0047] where user initiates an automated certificate enrollment process 
by activating a policy that requires certificate enrollment). 

At the time of invention, it would have been obvious to a person of ordinary skill 
in the art to modify the invention of Thomas and add activating service policies 
applicable to said specific events. The motivation would be to provide secure access to a 
communication network (paragraph [0003]). 

Regarding claim 25, Thomas discloses a method for authorizing a user of a 
service network to access a service offered by a service server of a service provider, the 
user already authenticated by the service network, the server arranged to deliver a service
that comprises a plurality of transactions by exchanging a plurality of application
messages with the user (paragraph [0059] and Fig. 1A authentication and
authorization by system network), the method comprising the steps of: obtaining a first 
authorization decision on whether the user is allowed to access the service (Fig. 3,
Authorization and authentications). Thomas discloses generating and assigning a 
service session identifier intended to identify those application messages exchanged
between the user and the service and that belong to a same service delivery authorized for 
said user (paragraph [0075], service session identifier assigned to identify messages 
exchanged). Thomas discloses at least one finite-state machine with a number of statuses
intended to identify specific events in service delivery, the finite-state machine usable for 
controlling service progression (paragraph [0286] - state machine controlling service 
progression). Thomas discloses initiating a specific instance of the at least one
finite-state machine, said specific instance being identified by the assigned service session
identifier (paragraph [0069] and [0286]) and processing service policies applicable to 
said specific events and resulting in a state transition in the specific instance identified by 
the assigned service session identifier (paragraph [0068] and [0069] where services are 
processed using a processing module and stored and used for session, state or 
identification purposes). However, Thomas is silent on activating service policies 
applicable to said specific events. 

Karjala teaches activating service policies applicable to said specific events 
(paragraph [0047] where user initiates an automated certificate enrollment process 
by activating a policy that requires certificate enrollment). 

At the time of invention, it would have been obvious to a person of ordinary skill 
in the art to modify the invention of Thomas and add activating service policies 
applicable to said specific events. The motivation would be to provide secure access to a
communication network (paragraph [0003]). 

Regarding claim 3, Thomas discloses wherein the means for activating service 
policies include means for setting at least one element selected from a non-exhaustive list 
of references and attributes that comprises: a number of message field values to match, a 
number of specific actions to carry out on matching, a number of timer values to run, and 
a number of transactions to supervise (paragraph [0438] where flow timer is run). 

Regarding claim 4, Thomas discloses wherein the means for activating service 
policies include means for activating a global service policy independently of any service 
delivery in progress (paragraph [0013]). 

Regarding claim 5, Thomas discloses wherein the means for activating service 
policies include means for initiating an instance of a global service policy to apply as an 
individual service policy within a specific instance of the first finite-state machine, the 
individual service policy inheriting references and attributes from the global service 
policy (paragraph [0438]). 

Regarding claim 6, Thomas discloses further comprising means for overwriting 
references and attributes of an individual service policy with new references and 
attributes during a service progression handled within a specific instance of the first
finite-state machine (paragraph [0101]).

Regarding claim 7, Thomas discloses wherein a particular state is associated with
a number of individual service policies within a specific instance of the first finite-state
machine, said instance identified by a given service session identifier (paragraph 
[0069]). 

Regarding claim 8, Thomas discloses wherein the means for obtaining an 
authorization decision include means for requesting a service authorization from an 
Authorization Module (paragraph [0067] where processing modules include an
authentication manager). 

Regarding claim 9, Thomas discloses wherein the means for activating service 
policies include means for receiving from the Authorization Module at least one element 
applicable to set a service policy, the element selected from a non-exhaustive list of 
references and attributes that comprises: a number of message field values to match, a 
number of specific actions to carry out on matching, a number of timer values to run, and 
a number of transactions to supervise (paragraph [0438]). 

Regarding claim 10, Thomas discloses wherein the means for activating service
policies includes means for receiving a global service policy from the Authorization 
Module (paragraph [0058] and [0438]). 

Regarding claim 11, Karjala teaches means for receiving references and attributes 
from the Authorization Module applicable to overwrite an individual service policy with 
new references and attributes during a service progression handled within a specific 
instance of the first finite-state machine (paragraph [0050]). 

Regarding claim 12, Thomas discloses means for notifying to the Authorization 
Module a specific event in service progression (paragraph [0058]). 

Regarding claim 13, Thomas discloses means for requesting from the 
Authorization Module a further processing to determine an appropriate action to go on 
with the service progression (see Fig. 8A and Fig. 8B).

Regarding claim 14, Thomas discloses means for receiving from the 
Authorization Module an instruction selected from: access granted without restriction, 
another service to substitute a previous service requested, forced log out, and indication 
of a state transition (see abstract). 

Regarding claim 16, Thomas discloses wherein the means for generating a service
session identifier comprise means for including said service session identifier in the 
response to be returned to the Application Gateway Module on whether the user is 
granted access to the requested service (paragraph [0009]- providing secure access to 
resources maintained on private networks). 

Regarding claim 18, Thomas discloses wherein a particular state is associated 
with a number of service policies within a specific instance of the second finite-state
machine, said instance identified by a given service session identifier (paragraph 
[0069]). 

Regarding claim 19, the combination of above discloses wherein the means for 
determining service policies comprise means for including in the response towards the 
Application Gateway Module at least one information element to activate a service policy 
within a specific state in the Application Gateway Module, said at least one information 
element selected from a non-exhaustive list of references and attributes that comprises: a
number of message field values to match and a set of actions to carry out on matching a 
given message field value and a number of new timer values to run; and - a number of 
transactions to supervise (see above). 

Regarding claim 20, Karjala teaches wherein the means for including in the 
response towards the Application Gateway Module at least one information element to 
activate a service policy include means for indicating that this is a global service policy to
apply independently of any service delivery in progress (see Fig. 2).

Regarding claim 21, Karjala teaches means for receiving a notification, from an 
Application Gateway Module indicating a specific event detected in service progression 
(paragraph [0020]). 

Regarding claim 22, Karjala teaches means for receiving a request, from an 
Application Gateway Module, asking for an instruction to proceed with a service 
progression (paragraph [0022]). 

Regarding claim 23, Thomas discloses means for sending towards the Application
Gateway Module an instruction selected from: access granted without restriction, another 
service to substitute a previous service requested, forced logout, and indication of a state 
transition (paragraph [0009]). 

Regarding claim 24, Thomas discloses a number of application servers and 
provisioning systems, the application message including a given service session identifier 
intended to identify a specific instance of the second finite-state machine in the
Authorization Module (paragraph [0069]). 



Application/Control Number: 10/595,496 Page 12 

Art Unit: 2617 

Regarding claim 27, Thomas discloses wherein a particular state within the 
specific instance of the at least one finite-state machine is associated with a number of 
service policies (paragraph [0069]).

Regarding claim 28, Thomas discloses wherein the step of activating service 
policies includes a step of setting at least one element selected from a non-exhaustive list 
of references and attributes that comprises: a number of message field values to match, a 
number of specific actions to carry out on matching, a number of timer values to run, and 
a number of transactions to supervise (paragraph [0438] where flow timer is run). 

Regarding claim 29, Thomas discloses a step of receiving at the service network 
an application message originated at an entity selected from: a number of service servers
of a service provider and a number of entities of a provisioning system, the application 
message including a given service session identifier intended to identify a specific 
instance of the at least one finite-state machine (paragraph [0069]). 

Regarding claim 30, Karjala teaches wherein the step of configuring at least one 
finite-state machine further comprises configuring a first finite-state machine in an
Application Gateway Module and configuring a second finite-state machine in an 
Authorization Module (paragraph [0028]). 

Conclusion

1. Any inquiry concerning this communication or earlier communications from the
Examiner should be directed to Amanuel Lebassi, whose telephone number is (571) 270-5303. 
The Examiner can normally be reached on Monday-Thursday from 8:00am to 5:00pm. 

If attempts to reach the Examiner by telephone are unsuccessful, the Examiner's 
supervisor, Nick Corsaro can be reached at (571) 272-7876. The fax phone number for the 
organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free) or
703-305-3028.

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist/customer service whose telephone number is
(571) 272-2600.

Amanuel Lebassi 
/A. L./ 
03/07/2011 

/HUY PHAN/ 

Primary Examiner, Art Unit 2617 



